Adware shows deleted but is found again in new scan

[Diana]

The following programs were identified by AntiSpyWare,
deleted, and then showed up in a new scan after a restart
30 minutes later:

SearchMiracle.AdDownloader (Trojan)

SearchMiracle.EliteBar (Browser Plug-in)

 

[AndyManchesta]

Just incase this is a different diana who posted the
question about the cookie i thought id resend my answer
as its the same problem
Not going the MS Antispy route as i know this is a tricky
one to remove but follow these tips and let me know if
you need anymore help (maybe copy it to note pad so you
can read it even when in safe mode)


First download these if you dont already have them,its
important you use all as they all do something different
and then update the definitions when istalled but dont
need to run any of them yet just update now while we are
still in normal mode:

Ad-aware SE

http://www.majorgeeks.com/downloadget.php?
id=506&file=11&evp=8dbaff7daca8f4b55bf695220993fc0f

Spybot Search & Destroy

http://www.majorgeeks.com/downloadget.php?
id=2471&file=11&evp=2470f9bfb0cc682334ff8c4459556118

SpywareBlaster

http://majorgeeks.com/downloadget.php?
id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef

CWShredder

http://www.majorgeeks.com/downloadget.php?
id=4086&file=11&evp=6742c4ccda2599a3d6c5901960cc6e24

CCleaner (removes unused and temporary files from your
system)

http://majorgeeks.com/downloadget.php?
id=4191&file=11&evp=a12d758b021af1a4f0a6bfe45b0c7a82


Now to removing :

Reboot and go into safe mode(Tapping F8 on the bios
screen to you get the options)

Check the Add/Remove screen for any signs of these and
remove if found

SearchMiracle
SurfSideKick 2
EliteToolBar
ZESOFT
Windows ControlAd
WeatherBug

Search for these files and delete any found(go to search
then to tools at the top bar,then folder options,go to
the second page and make sure there is a tick next
to 'show hidden files and folders' )

C:\Program Files\Windows AdTools (whole folder)
C:\WINDOWS\EliteToolBar (whole folder)
C:\WINDOWS\autoupdt.exe
C:\WINDOWS\SYSTEM32\WINYRS32.EXE
C:\WINDOWS\EliteBar <---- delete the whole directory
C:\windows\system32\winvju32.exe
searchmiracle (look for any files but unlikely to find)

Now while still in safe mode run Adaware,Spybot and
CWShredder

Then run CCleaner and follow the onscreen commands

Then go to Start,Run type %temp% and delete anything you
find in here or as much as possible as they are not needed

Then go to start again run and type cleanmgr to clean up
your disk space

Now reboot your PC and hopefully it will be gone,now run
Spyware blaster and update then enable all protection.

And thats it I think we would of killed it I'm going to
post Nortons Way at the bottom of this page but
personally find it to be a pain but if you feel confident
using regedit then maybe check for them,the problem with
there method is that they group alot of adware together
as searchmiracle tries to add these other sites into your
safe list which makes it possible other stuff has got
through but if you think its searchmiracle then this will
have deleted all the files and folders.


If you need any more help just post back and i will be
back on later today so will reply then

Good luck

Regards Andy






Heres Nortons Approach to removing the registry changes



Click Start > Run.

Type regedit

Then click OK.


Navigate to and delete these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\blazefind.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\clickspring.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\flingstone.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\mt-download.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\my-internet.info
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\searchbarcash.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\searchmeup.cc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\searchmiracle.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\skoobidoo.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\slotch.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Ranges\Range1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\blazefind.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\clickspring.net
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\flingstone.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\mt-download.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\my-internet.info
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\searchbarcash.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\searchmeup.cc
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\searchmiracle.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\skoobidoo.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\slotch.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
n\Internet Settings\ZoneMap\Ranges\Range1


Navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio
n\WinTrust\Trust Providers\Software Publishing\Trust
Database\0


In the right pane, delete the values:

" ppcimdnnnjbeahepfabjipfginloedkg egckak" = "CDT inc."
"goicfboogidikkejccmclpieicihhlpo ejemdn" = "MediaTickets"
"goicfboogidikkejccmclpieicihhlpo bihgbp" = "Integrated
Search Technologies"


Navigate to the keys:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVers
ion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio
n\Internet Settings


In the right pane, delete the values:

"MinLevel" = "Code Download"
"Safety Warning Level" = "SucceedSilent"
"Security_RunActiveXControls" = "0x01000000"
"Security_RunScripts" = "0x01000000"
"Trust Warning Level" = "No Security"


Navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio
n\Internet Settings\Zones\2


In the right pane, delete the values:

"2001" = "0x00000000"
"2004" = "0x00000000"


Exit the Registry Editor.

 

[AndyManchesta]

I posted a old link for CWShredder the new version can be
got from this link

Version 2.13

http://cwshredder.net/bin/CWShredder.exe

 

[PBear]

-----Original Message-----
The following programs were identified by AntiSpyWare,
deleted, and then showed up in a new scan after a restart
30 minutes later:

SearchMiracle.AdDownloader (Trojan)

SearchMiracle.EliteBar (Browser Plug-in)
.

It seems incredible with all the resources and employees
that MS has that they can't come up with something that
works well the first time. We, the people who own computers
are left with the responsibility of finding out how to
solve the problems brought about by unstable and unfinished
software.

Now, I've always been of the belief that authority implies
responsibility. If I'm wrong about this, please correct me.

Getting to the problems at hand that I see posted here. I
had those problems a few days ago. Couldn't even get rid of
a program called "istsvce" to save my life. Adware removed
it and then it appeared two minutes later.

This is what I did. In no way or manner do I recommend
anyone to do the following. It is being posted here as a
reference to the steps that I took to solve MY problem.

1. Installed the FireFox browser and use it as my default.
2. Increased the security levels of IE to maximum/high. I
still have it installed because all the MS programs use it.
3. Installed a free firewall that I downloaded in the Internet.

After doing the above I haven't had ANY spyware sneaking
into my computer. I'm a happy guy.

Thank you for your attention.

 

[Bill Sanderson]

Symantec has manual removal instructions for this critter:

http://securityresponse.symantec.com/avcenter/venc/data/adware.elitebar.html

You may want to use the System Explorer functions of Microsoft
Antispyware--thay may allow you to block or permanently remove the browser
plugin portion of this critter.

 

[Ron Chamberlin]

PBear,
<We, the people who own computers are left with the responsibility of
finding out how to

solve the problems brought about by unstable and unfinished software.>

You, the users, are responsible for allowing much of this junk into your
pc's in the first place.
Folks, you gotta read the EULA's when you get something, especially when
it's for 'free.'

PBear is right, you should have a firewall, and have it turned on. You
should also have a current and up to date AV product running.


Ron Chamberlin
MS-MVP